November 20, 2024

Understanding the True Scope of Insider Risk for Modern Enterprises

In this episode

Fred Burton speaks with Robin Welch-Stearns about understanding the true extent of insider risk for modern corporate security teams. Robin shares her insights from her time at the CIA and Google, highlighting the differences between insider risk in the public and private sectors, as well as what led her to start Pacific Resilience Group. She discusses the importance of creating a comprehensive approach to managing insider threats by understanding the motivations behind them, using data analytics, and fostering collaboration between cybersecurity and physical security teams.

Ch 1: Introduction

0:00

Fred:
Hi, I’m Fred Burton, here today with Robin Welch-Stearns. Robin started her career at the Central Intelligence Agency, where she spent five years in the Directorate of Operations. She spent that time undercover, working to support intelligence gathering all over the world. While at the agency, she was recruited to help start the Global Investigations Program at Google. In her 12 years at Google, Robin shaped global programs on insider risk, workplace violence, threat detection and management, intelligence, investigations, and physical security. Robin, welcome to the Ontic Connected Intelligence Podcast.
Robin:
Thank you so much for having me, Fred.
Fred:
It’s our pleasure. Robin, can you tell us a little about your background and what led you to start the Pacific Resilience Group?
Robin:
Why did I start Pacific Resilience Group? What led me to start Pacific Resilience Group? I spent five years at the agency and learned a ton. The training was remarkable. Then I went to Google, where we were a really small, lean team, and watched it grow. I developed a lot of contacts. I saw a gap in the industry where people either went from government straight to consulting or to working at security consulting firms. And there wasn’t a lot of private sector experience where people understood the culture and could speak to the employees and could understand how a tech company really works. And I saw that gap after 12 years at Google, which, most people will tell you, each year is like dog years. So 12 years ended up being a lot longer. And I just saw this gap, especially with females in this space. And I wanted to help other females and other tech companies really mature their security programs.

Ch 2: Common form of insider risks in organizations today

2:26

Fred:
Yeah, that’s an amazing story. And for someone with your background, not only at the agency but at Google, how would you define insider risk, and what are the most common forms it takes in organizations today?
Robin:
That’s a great question. I’d like to start by answering that by saying that insider risk in the corporate space is very different from what you see in the public sector. I think a lot of people come out of the public sector and they still have that counterintelligence hat on, and they see nation-state-sponsored espionage or insider risk as something that is really important that they want to tackle. But really, insider risk needs to be thought of far more broadly, and it’s very rare that you have state-sponsored espionage; it’s something like 1% of insider risk that is actually state-sponsored. The definition of insider risk is the potential for an organization’s data, people, or resources to be negatively impacted by someone with legitimate access. So we need to remember that this is current employees, former employees, contractors, business partners, even spouses who come for lunch, significant others. But really, the most common form is negligence. Something like 55 to 60% of insider risk incidents happen from negligence.

Ch 3: Strategies for preventing insider threats

4:00

Fred:
Yeah, that’s a fascinating stat. I did not know that, so thank you for sharing that. Robin, what are some effective strategies or frameworks organizations can implement to detect and prevent insider threats?
Robin:
Well, I think understanding the data, it’s about a comprehensive approach. Data loss prevention tools are important. Now, combining all of this: user and entity behavior analytics, training, policies, access control, asset protection, and of course your exit procedures. Now, I think it’s really important for this conversation to bucket our insiders, really, if you’re developing a comprehensive insider risk program. I’ve talked about negligence, but then you also have malicious insiders. So all of these approaches that I’ve talked about can help, even with your nation-state actors. So if you’re developing a comprehensive approach, they will catch your nation-state actors, which I know a lot of our leaders really care about because that’s what grabs the news. That’s very cloak and dagger, and those are the stories that you predominantly see on the news. But really, if you take your tools, your data loss prevention tools, your behavior analytics, that will catch negligence. It will, if you’re doing it right, catch malicious insiders. Training will catch negligence, which is a huge portion. Your policies so much aren’t going to catch, of course, malicious insiders or even nation-state actors. But once you have this full approach that uses DLP and access controls, asset protection, and really getting your exit procedures done right, really it’s about looking at the life cycle of an employee.

Ch 4: Cyber-physical convergence

5:54

Fred:
Yeah, that’s fascinating. So in context, you would view that as the convergence of cyber and physical as well, right?
Robin:
Absolutely. We have to work together. I was just asked this question yesterday. One of the most important things that you can do, which, you know, we were still working on when I left Google, is bridge that physical security with your SecOps group, and really work together to bridge these gaps, to make sure that your physical security and your security operations are really working well together.

Ch 5: Psychological factors that drive insider threats

6:30

Fred:
How important is it to understand the psychological factors that drive insider threats? You know, from my background in the U.S. government, that appeared to be something that we were always discussing or looking at in some of these spy scandals. And let’s be blunt, no agency has been untouched by that. So from a psychological factor perspective, what are some of the signs that organizations should look out for?
Robin:
Yeah, you know, it’s tough, because this is where your USG experience or public sector experience can really help: we are trained to understand the different motivations. And what you see the most is financial gain, even if it’s not someone who is angry at the company. Financial gain is a huge motivation for both your nation-state actors, both inside the US government and in the private sector. So really looking at that, the other thing that I think is interesting is we don’t want to get distracted by things that we think will drive insider risk. For example, geopolitical events. We’re not seeing a lot of new insider risk cases being driven by someone who is upset about geopolitical events, so we don’t want to focus too much there. You’re going to see protests and disruption, but you’re not seeing insider risk come out in huge amounts here. But what you want to look at is financial gain. That will cover, like I’ve said, what you want to do is create a comprehensive program so that you catch all three buckets that we’ve labeled, right? So financial gain touches everybody, really. And what you see in some of the really famous insider risk cases, Anthony Levandowski with Uber and Waymo with autonomous vehicles, there’s financial gain, and everyone at every level: if Anthony Levandowski was working at the highest level at Google, you still see that financial gain. So I think it’s really important to pay attention to that.
Fred:
Yeah, that’s fascinating. When you start putting that in context, you know, let’s face it, at a company like Google, you would think that most executives are very well paid. And it’s like anything else, I guess, that folks just want a little bit more.
Robin:
Exactly. But remember, at the time, this happened in, I want to say, 2016, the race for autonomous vehicles was the thing, similar to AI. Now, the scarier part about AI and insider risk is the capital that’s being put in. If you look at the VC investments, you are seeing sometimes $100 million per employee being invested. You know that wasn’t even close to what the autonomous vehicle race was doing, but you can think about how insider risk, and Google saw this last year, where there was an engineer who was working two jobs, similar to Anthony Levandowski. And this race for AI is really going to cause some problems in the insider risk space, both for financial gain, malicious, and of course, your nation-state actors.

Ch 6: AI solutions for insider risk

10:37

Fred:
Yeah, and you touched on something that I’d just love to know your opinion on. Do you think there’s a potential AI solution to insider risk?
Robin:
I do and I don’t. I think this could be my background speaking, but yes, I do think we need to incorporate AI and machine learning in insider risk far more than we do. We have to automate this stuff, right? But you’ll never get away from that human set of eyes that has to be on it. An employee that you are looking at who is doing something in a data center is going to have much different habits. They live in a different area versus someone who is living in Mountain View, California, for example. You have to be able to take those nuances and think critically about the behavior that is going on.

Ch 7: Training and awareness around insider risk

11:38

Fred:
Yeah, that’s fascinating. Now, what role does employee training and awareness play in reducing insider risk? What topics should be prioritized when it comes to employee training and awareness in your assessment?
Robin:
Good question. Look, we need to build training around the metrics and around the data. So if we’re seeing that most cases are negligence, we need to train towards negligence. We need to be clear about what can happen. There’s a great case that happened out of Heathrow Airport, where an employee lost a sensitive USB that had the route the Queen takes to the airport, credentials that are needed, perimeter security, all sorts of stuff. That was negligence. And we need to share these cases so that people understand that even the best employees make mistakes and that you need to constantly be careful. And we need to write this into policies and everything and make sure that we are clear that negligence can be a policy violation.

Ch 8: Challenges and opportunities in managing insider risk

12:56

Fred:
Interesting. Looking ahead, what do you think will be the biggest challenges and opportunities in managing insider risk in the next five to 10 years?
Robin:
So I touched a little bit on this earlier. I think our opportunities are huge in insider risk right now. Our job is really to help the business thrive. We shouldn’t be, as security professionals, people who say no with a lot of regularity. We could be “yes, but.” So I see a ton of opportunities in this space. We don’t want to be alarmist. And like I said, we can use AI and all of these new technologies coming out to help our businesses thrive. Now, we also need to understand what’s going on around us. We need to understand the data and put resources where they matter. And this is going to happen fast in the next four to five years. Our challenges will be the race to monetize AI and seeing how that shakes out. Will it continue to result in more AI companies popping up? And, you know, as these companies move fast, you know, there’s always been this tech mindset of move fast and break things. We have to keep up. We have to allow our business leaders to really run and try to win these races. But we have to keep up with them. And we have to make sure that we are going to be there and create policies and procedures that allow our businesses to be successful. And we can’t allow these companies that we’re working for to think of security as a fourth or fifth thought, which, as these companies are moving so fast and getting this funding, security is back of mind. But if we’re positive leaders in the security world, we can get their attention and hopefully get their buy-in.
Fred:
Yeah, that’s very good advice. Speaking of advice, what would you give to leaders and decision makers on fostering an environment that balances security with employee autonomy?
Robin:
I think it’s really simple. Treat employees like adults, and they’ll act like adults.

Ch 9: Robin’s time in the CIA

15:24

Fred:
Now, I would be remiss for not asking this question. Do you miss the agency?
Robin:
Oh, absolutely. There are a lot of things that I miss. When you work at a place as special as CIA, and you are given the privilege of walking across that seal every day that you all have seen in movies, there’s a certain responsibility, but there’s also a living history that you are so fortunate to be around every day. Fred knows this, but I was lucky enough to sit next to the wonderful George Cave for many, many years. Amazing career. Amazing career. He retired before I was even born. So he was working there as a contractor, writing his memoirs. One of my trainers was Howard Bain, who I will never forget. He sat really close to me in training and said, okay, when you’re going to, you know, recruit someone and really make the pitch, you know, touch him on the knee, really look him in the eye. And I was sitting this close to Howard Bain. I got to meet the COS who was in Tehran for, unfortunately, 444 days. But really, just people who give their lives so that we can live here in a way that, and you will never hear about it. You will never hear about the things that George did. I certainly spent years with him and I heard a lot, but, you know, there’s stuff I will never know. There is stuff that the wonderful John Mullen has done that is just incredible and, you know, has changed the course of the world, and we’ll never hear about it. And that is just something that is really special.

Ch 10: What does Connected Intelligence mean to you?

17:27

Fred:
Yeah, for sure. Now, before we go, I’ve got to ask you this question. We ask all of our guests this question. What does connected intelligence mean to you?
Robin:
Great question. When I think of connected intelligence, this is something that’s really important to me. When I looked around before starting Pacific Resilience Group, and I had spent a long time in the private sector, you know, everybody was locking down stuff. Your security firms, your consultants that would come in, no one was sharing information. And when I started this company, I wanted to disrupt the security industry. I wanted to share things for free. I wanted to really provide knowledge that we shouldn’t be charging for. Because at the end of the day, it’s not an abstract concept that we’re protecting people. These people exist. We know them. My spouse works at a company. My kids go to a school. The more we share, the safer we all are. So connected intelligence means to me that we are sharing information, that we are helping each other as much as possible, because at the end of the day, it helps every single person.
Fred:
Now, I appreciate that. Now, is there anything that you would like to say that I haven’t asked you?
Robin:
Great question. Let’s see. You know, if you are curious about insider risk and you want help, please just reach out. You can look at my website, pacificresiliencegroup.com. I’ve done a lot in the insider risk space and want to help companies come up with common sense approaches. This isn’t something that you have to have a ton of headcount or a ton of money to do. There are a lot of common sense strategies that you can deploy that will keep your people safe and, most importantly, help your business thrive.

What you’ll learn

Differences in insider risks between public and private sectors, and common forms these risks take within organizations

Strategies and frameworks for detecting and preventing insider threats, emphasizing data analytics and employee training

Psychological factors and motivations behind insider threats, and the opportunities and challenges AI presents in managing these risks

More about our guest

Robin Welch-Stearns, now President and Founder of Pacific Resilience Group, started her career at the Central Intelligence Agency, where she spent five years in the Directorate of Operations. She spent that time undercover, working to support intelligence gathering all over the world. While at the Agency, she was recruited to help start the Global Investigations program at Google. In her 12 years at Google, Robin shaped global programs on insider risk, workplace violence, threat detection and management, intelligence, investigations, and physical security.